So I'm trying to extract multiple fields using the Extract property in props.conf
The source file looks like
my.prop.1=1
my.prop.2=2
my.prop.3=3
my.prop.4=4
And I want what EACH prop becomes a field. HENCE I did not used a prefix in the regex.
[my_sourcetype]
LINE_BREAKER = ((?!))
DATETIME_CONFIG=CURRENT
TRUNCATE=100000
KV_MODE = none
EXTRACT-watt_grouping = (?m)(.+?)=(.*)
I already used multiple variations of this regex and nothing seems to work. Is there anything blocking the field extraction ?
EDIT:
At search time I provided the conrresponding pipe and it seems to extract quite nicely: | extract pairdelim=",", kvdelim="=", auto=f, limit=500, mv_add=t .. Anyone knows how to make this work in transforms.conf ? I tried it with DELIMS = "\n","=" but it breaks in a specific property prop.256 = ?'- \#&@^\!%*\:$./\ ;,~+=)(|}{][><` .. It extracts the previous 255 props quite nicely though
... View more